About the File Integrity Monitor task
3 August 2023
The File Integrity Monitor task is designed to track actions performed with the specified files and folders in the monitoring scopes specified in the task settings. You can use the task to detect file changes that may indicate a security breach on the protected device. You can also configure file changes to be tracked during periods in which monitoring is interrupted.
A monitoring interruption occurs when the monitoring scope temporarily falls outside the scope of the task, e.g. if the task is stopped or if an external device is not physically present on a protected device. Kaspersky Industrial CyberSecurity for Nodes reports detected file operations in the monitoring scope as soon as an external device is reconnected.
If the task stops running in the specified monitoring scope because the File Integrity Monitor component was reinstalled, this does not constitute a monitoring interruption. In this case, the File Integrity Monitor task is not run.
Requirements on the environment
To start the File Integrity Monitor task, the following conditions must be satisfied:
- ReFS or NTFS file systems must be used on the protected device.
- The Windows USN Journal must be enabled. The component queries this journal to receive information about file operations.
If you enable the USN Journal after a rule has been created for a volume and the File Integrity Monitor task has already been started, you must restart the task. Otherwise, the rule will not be applied during monitoring.
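Both conditions above (NTFS/ReFS and an active USN Journal on each monitored volume) can be checked before the task is started. The following pre-check script is an added example, not part of Kaspersky Industrial CyberSecurity for Nodes or its documentation; it assumes an elevated PowerShell session on the protected device where fsutil.exe and the Storage module (Get-Volume) are available.

```powershell
# Added pre-check script (hypothetical helper, not the product's own code).
# Assumes: elevated PowerShell on the protected Windows device,
# fsutil.exe present, Storage module providing Get-Volume.

function Test-FimVolumePrerequisites {
    param(
        [Parameter(Mandatory)]
        [string[]]$DriveLetter   # e.g. 'C','D'
    )
    foreach ($letter in $DriveLetter) {
        $letter = $letter.TrimEnd(':')

        # Requirement 1: the volume must be NTFS or ReFS.
        $vol  = Get-Volume -DriveLetter $letter -ErrorAction SilentlyContinue
        $fsOk = [bool]$vol -and ($vol.FileSystem -in @('NTFS', 'ReFS'))

        # Requirement 2: the USN Journal must be active.
        # fsutil exits non-zero and prints an error when the journal is not active.
        $null  = & fsutil.exe usn queryjournal "$($letter):" 2>&1
        $usnOk = ($LASTEXITCODE -eq 0)

        $hint = ''
        if (-not $fsOk)  { $hint = 'Unsupported file system; monitoring cannot start here.' }
        elseif (-not $usnOk) {
            # Journal can be created with: fsutil usn createjournal m=<bytes> a=<bytes> <drive>:
            # After enabling it, restart the task so existing rules are applied.
            $hint = 'USN Journal inactive; create it with fsutil usn createjournal, then restart the task.'
        }

        [pscustomobject]@{
            Volume           = "$($letter):"
            FileSystem       = if ($vol) { $vol.FileSystem } else { 'unknown' }
            FileSystemOk     = $fsOk
            UsnJournalActive = $usnOk
            Ready            = ($fsOk -and $usnOk)
            Hint             = $hint
        }
    }
}

# Report readiness for the volumes that the monitoring scopes will cover.
Test-FimVolumePrerequisites -DriveLetter 'C', 'D' | Format-Table -AutoSize
```

A volume that reports `Ready = False` will either fail to be monitored or, if the journal is enabled later, silently skip existing rules until the task is restarted.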
Excluded monitoring scopes
You can create excluded monitoring scopes. Exclusions are specified for each separate rule and work only for the indicated monitoring scope. You can specify an unlimited number of exclusions for each rule.
Exclusions have a higher priority than the monitoring scope: an excluded folder or file is not monitored by the task even if it lies inside the monitoring scope. If one of the rules specifies a monitoring scope that is located below a folder listed in the exclusions, that monitoring scope is not considered when the task is run.
To specify exclusions, you can use the same masks that are used to specify monitoring scopes.